How to Build a Security Culture Within Your Company

Building a work culture, from employee expectations to benefits, can be essential to moving the company’s mission forward. And now, with increasing security threats, it’s important to focus on building a ‘security culture’ within your team as well, says Nick Santora, CEO of cybersecurity education platform Curricula. Studies have found that 95 percent of cybersecurity incidents are caused by human error.

“Security culture is the same thing [as company culture]. It’s a common goal associated with that group to protect against threats. It’s an integral part of having your team defend against all of the bad guys that are out there and protect the organization,” says Santora.

Santora shares exactly how to build a robust company security culture to fend off phishing attacks and why positive reinforcement can help your employees succeed against hackers.

It takes time — sometimes, a lot of time

“When you think about a new employee coming into a company, they’re typically introduced to the company culture — and that’s more than a one-day activity. Over time, they start to understand and incorporate themselves as part of that culture,” says Santora. “But then if you think about security, typically it’s a couple of pieces of information about why hackers are bad and don’t click things, and that’s it.”

Santora says that giving security the same priority that teams give to onboarding can help develop good security habits for new and current employees. “I wouldn’t tell you, well, one time a year I’m going to ask you to run on a treadmill for an hour and then for the rest of the year you’re going to be a healthy person.”

Make it a habit

“You’re not going to be a secure company if you’re just going through something once a year. It has to be a daily habit that the entire company works on together… it has to be constant content throughout the year that’s relatable to people.”

“[That includes] conversations about security both at work and at home and how these concepts apply to them, and how other organizations just like you are being targeted and these types of attacks and why,” says Santora. “If you can start building a conversation at that level, it gets people to actually incorporate that as part of your culture.”

Test to see if the security culture is effective — often

Building awareness through mock phishing simulations can help test whether the concepts you want instilled in your security culture have taken hold. A simulation sends employees a realistic but harmless phishing lure to see how they would react if the message were a real attack.

But, make sure to think beyond testing, says Santora.

“A mistake that companies that have chosen to do mock phishing tests make is that sometimes they throw tests at employees over and over again. However, employees aren’t learning the concepts as they often fail again and again,” he says. “You have to educate them about what to look out for, why to look out for it. It’s a great way to really understand the risk of your organization being exposed to a phishing or other social engineering-type attack.”

Use positive reinforcement

“You have to treat the employees in a positive way. Like a student that’s struggling in class, you would pay more attention to them because they need more help and you speak positively and guide them in the right direction,” he says. “Often employees weren’t taught these topics and sometimes the company decides to yell or reprimand them for doing so instead of actually helping them.”

“That’s the number one point: always treat your employees with positive behaviors and guide them in the right direction instead of giving them a negative reinforcement. And you’ll see a lot better results in the long run.”

Santora encourages companies to provide incentives to employees for doing well on phishing simulations, versus creating competitions. His reasoning? Treating security as a team sport helps build a cohesive security culture — meaning no weak links in the security chain.